
Jailbreaking RabbitOS: Uncovering secret logs, and GPL violations

mrbluecoat
13 replies
1h19m

logs include:

> Your precise GPS locations (which are also sent to their servers). Your WiFi network name. The IDs of nearby cell towers (even with no SIM card inserted, also sent to their servers). Your internet-facing IP address. The user token used by the device to authenticate with Rabbit's back-end API. Base64-encoded MP3s of everything the Rabbit has ever spoken to you (and the text transcript thereof).

Nasty :0

nicce
7 replies
1h9m

Nobody would collect all this by accident, especially when considering the purpose of the product…

freedomben
2 replies
1h2m

Certainly not by accident. It takes intentional effort to collect any data, let alone data like this where you have to really scrape. This is in my opinion exactly what the tech industry is all about these days. I generally favor a light touch with regulation, but the US desperately needs some privacy laws because this industry is absolutely out of control

ghayes
0 replies
39m

I'd generally say that disclosure should be enough (and is currently insufficient in the US outside of California), but I am wary that much of your life now involves "Pay us with Venmo" or "Customer service via Twitter," such that one cannot really opt out without paying a significant cost.

bilbo0s
0 replies
25m

Problem is if our congress were to make laws they would make tough on terrorist laws to compel collection and storage of data for the good guys to get the bad guys easier.

We all seem to forget that the patriot act passed 99 to 1. Whereupon…

We promptly got rid of the 1.

We have bad leaders. Look at our Presidential candidates. We won’t get better outcomes until that condition changes.

Aurornis
2 replies
35m

Those are local log files on the device. The post says the subset of information sent to the server is smaller.

Uploading location data with requests is a feature of the device. It's supposed to take your location into account so you can ask it questions like "What's the weather forecast?"

The article is sparse on when the information is sent to the servers. If location data is being sent with requests, that's hardly a surprise.

nicce
1 replies
23m

> Uploading location data with requests is a feature of the device. It's supposed to take your location into account so you can ask it questions like "What's the weather forecast?"

No. The whole product is an abstraction to different software interfaces. If it sends data, it should send it to the weather API, not to Rabbit servers nor even log it, because the information is relevant only at that moment.

Even if they route all traffic through their backend, they should log only errors. There is really no reason to store the location history on OS level.

Aurornis
0 replies
16m

> If it sends data, it should send it to the weather API,

That's not how the device works. The weather and location data are both context inputs to an LLM. The LLM produces the response and sends it to the device. The LLM runs on the server, not the device.

You can't have the device connect to a separate weather API unless you send keys to the device, which would require per-user access credentials (good luck finding a 3rd party provider happy to do that). It would also increase the number of round trips, which increases response delay, which is one of the primary complaints about the device.

ummonk
0 replies
33m

Most likely they were collecting it all to make debugging easier.

Aurornis
3 replies
38m

> Your precise GPS locations (which are also sent to their servers). ... The IDs of nearby cell towers (even with no SIM card inserted, also sent to their servers).

Is this sent to the server all the time? Or just with requests? It shouldn't come as a surprise to anyone that a device designed to respond to questions like "What's a good restaurant near me?" is also sending location context with requests.

If they're sending a constant stream of location all the time for no reason, that would be concerning.

> Your WiFi network name. ... Your internet-facing IP address. The user token used by the device to authenticate with Rabbit's back-end API.

A device must store WiFi network names to reconnect to them. An IP address showing up in local logs isn't really surprising either.

Storing the user access token on the device is also a necessity for reconnecting without logging back in every time you turn it on. The fact that it's stored directly in logs isn't a good practice, but when those logs are stored on the same storage as the db or config file that contains them, it's also not really a new issue by itself. If they were uploading logs directly to their servers, that would be an issue of course.

echoangle
1 replies
30m

Regarding storage of WiFi names:

That’s a weak excuse IMO. Firstly, the WiFi logic is probably entirely handled by Android, so the app doesn’t have to do anything with that. And that also doesn’t explain the WiFi names in logs. Or are they parsing their own logs to determine which WiFi to connect to? If it’s some structured data or a database, I would get it, but they surely aren’t logging something to reconnect to the mentioned WiFi names later.

Aurornis
0 replies
21m

> Firstly, the WiFi logic is probably entirely handled by Android, so the app doesn’t have to do anything with that.

The app handles the process of connecting to a WiFi network.

It doesn't have a standard Android interface. The only interface is through the Rabbit app, so by definition the app must also handle WiFi at some point.

They already released an update to reduce logging before this blog was posted.

I'm not defending their initial over-logging as a good security choice, but I do think it's being greatly exaggerated in this comment section. If you could access the device's storage, you could access the WiFi network name, period. The fact that it's in the logs, not just the config files/db, doesn't raise the severity of any vulnerabilities.

Retr0id
0 replies
27m

They do have reasonable grounds to say they need to send location data to their servers (although there is no setting to turn off geolocation), but there was no excuse for the local logging.

(And yes, it is sent periodically regardless of what you're doing, not as part of specific queries)

thih9
0 replies
16m

> the latest RabbitOS update (v0.8.112) addressed this issue while I was midway through writing this article. They reduced logging and added a factory reset settings option!

Retr0id
11 replies
1h49m

Shamelessly resubmitting my own article with a slightly more attention-grabbing title ;)

traceroute66
8 replies
1h35m

> Shamelessly resubmitting my own..

If everyone shamelessly resubmitted their own stuff.....a.k.a "please don't delete and repost"

See also the "don't linkbait; don't editorialize" rule in relation to titles. ;-)

yjftsjthsd-h
4 replies
1h28m

> See also the "don't linkbait; don't editorialize" rule in relation to titles

I was going to argue that the actual author of the post is allowed to put whatever title they want on their actual article, but the actual article is titled

> Jailbreaking RabbitOS (The Hard Way)

So... Yeah, actually this submission does seem to go against https://news.ycombinator.com/newsguidelines.html -

> Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.

Retr0id
3 replies
1h27m

If it's a problem then I'll just edit the original article. The current title (on HN) is objective and accurate, and I received feedback that the original title buries the lede(s)

yjftsjthsd-h
0 replies
1h23m

That seems sensible. Ignoring for a moment the HN guidelines, I agree that the new title is just a better description (I read it... either previously here or from lobsters, but yeah the actual content was good).

digging
0 replies
1h23m

Given the situation, I'd recommend updating the article title, as it's definitely more interesting to someone who hasn't heard of RabbitOS!

Semaphor
0 replies
1h22m

Even if it’s not an issue, the title you chose now is simply more information dense as well. It’s all around better.

Thanks for the read :)

duiker101
0 replies
57m

HN has actually a page entirely dedicated to posts that went overlooked and are therefore invited to resubmit

https://news.ycombinator.com/invited

bloqs
0 replies
1h25m

Rules aside, I can see why title iteration can be good. I saw the original and didn't click it, but I'm glad I did this time.

Retr0id
0 replies
1m

The rules are "don't delete and repost", not "don't repost".

mtlynch
0 replies
1h36m

Great write up! Thanks for putting so much work into this investigation and report.

isodev
0 replies
1h31m

Good call. Thank you for sharing, it’s really quite fascinating.

Arnavion
11 replies
53m

I don't have any interest in this product or sympathy for its manufacturer, but:

> On July 12th, I asked Rabbit Inc. if they had any comments to make on the content of this article [...] As of the end of July 15th, they have not responded.

That *was* between zero and two working days, depending on how early on Friday the author asked them for comments and how late on Monday they waited for a response. It might've been better to wait a few more days. I doubt they would've responded even then, but it would've made the case of their incompetence stronger, and given them less ammo for a rebuttal should they choose to make one.

lagniappe
6 replies
43m

Nobody's defending Rabbit here, but that's chickenshit journalism, and it happens too often.

mynameisvlad
5 replies
36m

Since when is an individual's personal blog "journalism", and therefore expected to live up to that standard?

gruez
3 replies
31m

It might not be "journalism", but I think it's pretty reasonable to wait a week for responses before dropping serious accusations. It's not exactly an onerous requirement to meet.

mynameisvlad
0 replies
29m

Reasonable? Sure.

Expected and therefore commented that it's chickenshit when it doesn't happen? Yeah, no. If this were a reputable news outlet, that expectation would be reasonable.

KibbeWater
0 replies
23m

Most of what's mentioned in the article is not any new allegations. Rabbit has been berated for their GPL violations for over a month now and the excessive logging was rectified before he even sent in a request for comment.

Requesting comments was only a formality to address already voiced concerns.

JoshTriplett
0 replies
29m

I think it's entirely reasonable to report what you find when you find it, and update later with responses received.

Retr0id
0 replies
33m

I take it as a compliment!

Retr0id
2 replies
41m

It was 1.5 working days, and there are other factors not mentioned in this article which meant they were lucky to get that (I could write a whole other article about how hostile and dismissive they've been to researchers). If they had requested an extension, I may have considered, but they didn't respond at all.

To elaborate, there are no new security disclosures made in this article. The logging issue has already received mainstream media coverage, after they resolved it and published an advisory, and people have been playing with flashing custom roms via mtkclient for months (as referenced in the article).

The only new "accusation" is that they are violating GPL. I informally asked them for GPL sources months ago via their community discord server, and I'm aware of others who have asked more formally.

Asking for their input on the article was a) giving them a courteous heads-up b) a formality c) an opportunity for them to correct me if they thought I said something untrue.

Arnavion
1 replies
38m

Sure, up to you. In any case I take it they still haven't responded?

Retr0id
0 replies
33m

Still no response.

Aurornis
0 replies
33m

It appears Rabbit had already released an update to address the issue on July 11th, the day before the author asked them for comment. They posted it here https://www.rabbit.tech/security-advisory-071124

> As of 11 July, we’ve made the following changes:
>
> Pairing data can no longer be used to read from rabbithole. It can only trigger actions.
>
> Pairing data is no longer logged to the device.
>
> We have reduced the amount of log data that gets stored on the device.
>
> The Factory Reset option is now available via the settings menu. Customers should use this option to erase ALL data from their r1 prior to transferring ownership.

pmdr
10 replies
1h13m

Why do people still care about failed garbage?

sqeaky
3 replies
1h1m

This is a large scam and we are curious to see what will happen. If they aren't sued, fined, imprisoned, court-ordered, or otherwise dealt justice it means something very toxic for tech as an industry. And if they are the drama will be fun.

You may as well ask "why do people like sports?", people are emotionally invested and that is enough.

whywhywhywhy
2 replies
54m

Being a bad product or poorly engineered doesn't make something a "scam". There is an actual real NFT scam in this story before Rabbit though if you dig.

sqeaky
0 replies
23m

They lied, they promised X and delivered Y. That is a scam.

To expand on this, this isn't just a truth stretching. They didn't deliver X-1, they delivered rubbish. This isn't a tire that self heals small holes but doesn't live up to the commercial, this isn't another energy drink promising 5 hours of alertness and giving you caffeine jitters. These devices are just garbage, these are like essential oils or magic crystals promising to cure a disease or otherwise perform and simply not. They promised categories of features and faked demos so they knew it couldn't do X when they sold it.

But even worse, this device cannot do anything useful. This can't do A through W, I will grant it Y and Z because it boots and doesn't catch fire.

But even worse, this device tracks way too much and that might be leaked harming you.

There is no coherent way to claim this is not a scam in every sense of the word. And coming from people who committed other scams doesn't make this not one by comparison.

nicce
0 replies
36m

See the other comment about data harvesting

yjftsjthsd-h
0 replies
1h8m

Reverse engineering is often interesting independently of whether the actual device was interesting.

ssl-3
0 replies
1h8m

Why do people care what others care about?

slashdave
0 replies
42m

There is usually something important to learn from other people's failings

dole
0 replies
1h7m

Possibly useful hardware components or package for cheap.

Retr0id
0 replies
1h11m

I find the ways in which things work less interesting than the ways in which they do not.

0xTJ
0 replies
1h6m

Because there are sometimes interesting things that get thrown in the garbage. The author clearly doesn't care about the product as a product (otherwise they'd have bought one new, and this article would be completely different), they care about it as a technical puzzle, with secrets to uncover.

jylam
5 replies
1h22m

It was surprisingly (or not) hard to find what this "Rabbit R1" device was (despite the `I assume by now that most people have heard of the Rabbit R1.`), so here is a paste from Wired:

"The promise was simple. Speak into the device and it'll complete tasks for you thanks to Rabbit's “large action models”—call an Uber, reserve dinner plans via OpenTable, play a song through Spotify, or order some food on DoorDash. Just speak and it will handle it, just like if you handed your smartphone to a personal assistant and asked them to do something for you."

I don't understand why an app on the phone wouldn't do that, but maybe I'm not hype enough.

codetrotter
2 replies
1h14m

On iOS the “problem” for a third-party app is that there is no mechanic by which it could always listen to your mic, and trigger actions based on keywords.

Only Siri would be able to do that on iOS.

Therefore, no third party can “become the platform” on iOS for voice assistants.

But who knows. Maybe EU will force Apple to open up for that at some point, like they forced Apple to open up for third party App Stores on iOS in EU.

aetch
1 replies
53m

iOS apps can record audio in the background with the provided API already so this isn’t actually a hold up

danudey
0 replies
31m

You can continue to record audio in the background, but you can't use the API to just listen all the time, like "hey siri" does, and then open the app and act on it.

mewse-hn
1 replies
1h18m

You really have to watch the Steve Jobs-esque announcement video to understand what they were promising with this device, and understand how utterly it failed to deliver on those promises.

https://www.youtube.com/watch?v=22wlLy7hKP4

nerdponx
0 replies
0m

[delayed]

iamexcited
3 replies
1h14m

lol! I worked at Rabbit and left after reading through the codebase and being gaslit by the execs

rideontime
1 replies
52m

Well? Aren't you going to spill some juicy details about the supposed "large action model"?

Retr0id
0 replies
49m

I believe the juicy details are "It's a marketing term for getting off-the-shelf LLMs to call out to pre-written browser automation scripts", but I'd love to hear it from the horse's mouth.

krukah
0 replies
45m

If you don't mind sharing, what were some of the first red flags that you noticed in the codebase? Looking at all these jailbreaks and vulnerabilities visible from the outside, I'm sure they only scratch the surface.

Aurornis
1 replies
28m

Good writeup on the process, but the amount of negative spin in the article left a bad taste in my mouth.

He says he didn't bother reporting the issue at first (!) but then later criticizes Rabbit for not responding to his July 12th e-mail in less than 2 business days.

However, Rabbit had already fixed the issue and released a security advisory on July 11th, a day before he finally decided to contact them. You can see their security advisory on their website, dated July 11th (https://www.rabbit.tech/security-advisory-071124). To be fair, the post does bury this at the very end of the article, but it spends most of the opening sections talking about how much it "sucks" and leans heavily on the logging issue and their lack of response before eventually admitting that it was already fixed.

> As of 11 July, we’ve made the following changes:
>
> Pairing data can no longer be used to read from rabbithole. It can only trigger actions.
>
> Pairing data is no longer logged to the device.
>
> We have reduced the amount of log data that gets stored on the device.
>
> The Factory Reset option is now available via the settings menu. Customers should use this option to erase ALL data from their r1 prior to transferring ownership.

wmf
0 replies
23m

There's an acrimonious relationship between Rabbit and hackers and both sides seem to keep escalating.

usr1106
0 replies
17m

> On July 12th, I asked Rabbit Inc. if they had any comments to make on the content of this article,
>
> As of the end of July 15th, they have not responded.

Their lawyers are considering the options how to sue you.

taylorbuley
0 replies
29m

This company is definitely wading through the trough of disillusionment. Excited what root on the device could open up.

I have been disappointed in its hackability; however, the joy I receive when watching my 10 year old dive into a topic of his choice with this neon orange LLM is worth far more to me than the $200 for my R1. During these summer months I let him stay up late with this as his only glowing screen and he basically uses it like I used Encyclopedia Britannica, except much more deeply and with more interesting subjects. I think it's a great little piece of purpose-driven hardware.

I dropped my own ChatGPT subscription and use this if I need to do some heavy lifting. I know it won't last forever, but it will last until the company goes bottom-up -- and longer if we get more boottime control through tools like this.

schmookeeg
0 replies
16m

I'm enjoying reading this, and I never paid much attention to the R1 product. "Carroot" was enough of a chuckle to merit the rest. :D

barnabee
0 replies
1h12m

Cool write up!

The software looks garbage and the company doesn’t seem great either at this point.

But if it’s easy enough to run custom apps on (even/especially) in kiosk mode, I could imagine some pretty interesting use cases for this form factor.

Bonus points if you could just slap something together as a PWA too, as then it gets much quicker than programming an ESP32 + battery + screen, and in what looks like a pretty nice self contained unit.

Would be nice, ideally to be able to get it running more secure / without any Google services, something like GrapheneOS.

Having not looked at what’s out there (yet) does anyone know if people are using them in this way for custom single focus apps or have any pointers?

OsrsNeedsf2P
0 replies
46m

> I could also build an entire custom kernel from source, but Rabbit Inc. has chosen to violate the GPL2 license and not make the sources available. Of particular note are their drivers for hall-effect scroll wheel sensing, and camera rotation stepper motor control, which are closed-source and yet statically linked into the GPL'd kernel image. Violations like this are hugely destructive to the free software ecosystem, from which companies like Rabbit Inc. benefit.

GPL requires you to disclose the license and source code on request, but Truth Social got away with not disclosing the license until someone realized they were using AGPL code, and only then released the source. I wonder if Rabbit will slip by doing the same.